[Swan-dev] New Defects reported by Coverity Scan for antonyantony/libreswan
scan-admin at coverity.com
scan-admin at coverity.com
Thu Apr 6 01:51:29 EEST 2023
Hi,
Please find the latest report on new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
3 new defect(s) introduced to antonyantony/libreswan found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 1537106: (OVERRUN)
/programs/pluto/kernel_xfrm.c: 702 in kernel_xfrm_policy_add()
________________________________________________________________________________________________________
*** CID 1537106: (OVERRUN)
/programs/pluto/kernel_xfrm.c: 702 in kernel_xfrm_policy_add()
696 req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
697 req.n.nlmsg_len = NLMSG_SPACE(sizeof(struct xfrm_userpolicy_info));
698 struct xfrm_userpolicy_info *info = NLMSG_DATA(&req.n);
699 set_xfrm_selectors(&info->sel, src_client, dst_client);
700
701 /* The caller should have set the proper priority by now */
>>> CID 1537106: (OVERRUN)
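>>> Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer "info".
[Reviewer note: the 16 bytes are the size of struct nlmsghdr (req.n), as the later events for this CID state. "info" comes from NLMSG_DATA(&req.n), which points just past that header, so the analyzer is treating the header alone as the underlying object. Whether the write at line 702 is a real overrun depends on the layout of req: the excerpt shows a req.data member but not the declaration. Before classifying this as a false positive, confirm that req.data immediately follows req.n and is at least NLMSG_SPACE(sizeof(struct xfrm_userpolicy_info)) minus the header in size. CID 1537104 at line 851 reports the same pattern for "id".]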
702 info->priority = kernel_policy->priority.value;
703 dbg("%s() IPsec SA SPD priority set to %d", __func__, info->priority);
704
705 info->action = xfrm_action;
706 /* info->lft.soft_use_expires_seconds = deltasecs(use_lifetime); */
707 info->lft.soft_byte_limit = XFRM_INF;
/programs/pluto/kernel_xfrm.c: 780 in kernel_xfrm_policy_add()
774 * Add mark policy extension if present.
775 *
776 * XXX: again, can't the caller decide this?
777 *
778 * XXX: identical code in policy_add(), time to share?
779 */
>>> CID 1537106: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 443 using argument "req.n.nlmsg_len" (which evaluates to 444).
780 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
781 add_sec_label(&req.n, sec_label);
782
783 bool ok = sendrecv_xfrm_policy(&req.n, what_about_inbound, policy_name,
784 (dir == DIRECTION_OUTBOUND ? "(out)" : "(in)"),
785 logger);
/programs/pluto/kernel_xfrm.c: 781 in kernel_xfrm_policy_add()
775 *
776 * XXX: again, can't the caller decide this?
777 *
778 * XXX: identical code in policy_add(), time to share?
779 */
780 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
>>> CID 1537106: (OVERRUN)
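>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 443 using argument "req.n.nlmsg_len" (which evaluates to 444).
[Reviewer note: in the visible calls, add_xfrmi_marks() is passed sizeof(req.data) as a bound, but add_sec_label(&req.n, sec_label) is passed no size. Its body is not in this report, so it is worth confirming that it checks the label length against the space remaining after req.n.nlmsg_len before appending the attribute.]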
781 add_sec_label(&req.n, sec_label);
782
783 bool ok = sendrecv_xfrm_policy(&req.n, what_about_inbound, policy_name,
784 (dir == DIRECTION_OUTBOUND ? "(out)" : "(in)"),
785 logger);
786
/programs/pluto/kernel_xfrm.c: 783 in kernel_xfrm_policy_add()
777 *
778 * XXX: identical code in policy_add(), time to share?
779 */
780 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
781 add_sec_label(&req.n, sec_label);
782
>>> CID 1537106: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 443 using argument "req.n.nlmsg_len" (which evaluates to 444).
783 bool ok = sendrecv_xfrm_policy(&req.n, what_about_inbound, policy_name,
784 (dir == DIRECTION_OUTBOUND ? "(out)" : "(in)"),
785 logger);
786
787 /*
788 * ??? deal with any forwarding policy.
/programs/pluto/kernel_xfrm.c: 807 in kernel_xfrm_policy_add()
801 if (kernel_policy->shunt == SHUNT_IPSEC &&
802 kernel_policy->mode == ENCAP_MODE_TRANSPORT) {
803 break;
804 }
805 dbg("xfrm: %s() adding policy forward (suspect a tunnel)", __func__);
806 info->dir = XFRM_POLICY_FWD;
>>> CID 1537106: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 443 using argument "req.n.nlmsg_len" (which evaluates to 444).
807 ok &= sendrecv_xfrm_policy(&req.n, what_about_inbound,
808 policy_name, "(fwd)", logger);
809 break;
810 default:
811 break; /*no-op*/
812 }
** CID 1537105: Memory - illegal accesses (OVERRUN)
/programs/pluto/kernel_xfrm.c: 735 in kernel_xfrm_policy_add()
________________________________________________________________________________________________________
*** CID 1537105: Memory - illegal accesses (OVERRUN)
/programs/pluto/kernel_xfrm.c: 735 in kernel_xfrm_policy_add()
729 /* only the first rule gets the worm; er tunnel flag */
730 unsigned mode = (kernel_policy->mode == ENCAP_MODE_TUNNEL ? XFRM_MODE_TUNNEL :
731 XFRM_MODE_TRANSPORT);
732 for (unsigned i = 0; i < kernel_policy->nr_rules; i++) {
733 const struct kernel_policy_rule *rule = &kernel_policy->rule[i];
734 struct xfrm_user_tmpl *tmpl = &tmpls[i];
>>> CID 1537105: Memory - illegal accesses (OVERRUN)
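>>> Overrunning array of 24 bytes at byte offset 24 by dereferencing pointer "rule".
[Reviewer note: in the lines shown, the loop is bounded only by kernel_policy->nr_rules, and both kernel_policy->rule[] and tmpls[] are indexed by i. The excerpt shows no check of nr_rules against the capacity of either array. Triage should locate that bound (a check or assertion before the loop, or an invariant enforced where nr_rules is set) or add one; the array declarations are not visible here.]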
735 tmpl->reqid = rule->reqid;
736 tmpl->id.proto = rule->proto;
737 tmpl->optional = (rule->proto == ENCAP_PROTO_IPCOMP &&
738 xfrm_dir != XFRM_POLICY_OUT);
739 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
740 tmpl->family = address_type(&kernel_policy->dst.host)->af;
** CID 1537104: (OVERRUN)
/programs/pluto/kernel_xfrm.c: 851 in kernel_xfrm_policy_del()
________________________________________________________________________________________________________
*** CID 1537104: (OVERRUN)
/programs/pluto/kernel_xfrm.c: 862 in kernel_xfrm_policy_del()
856 * Add mark policy extension if present.
857 *
858 * XXX: again, can't the caller decide this?
859 *
860 * XXX: identical code in policy_add(), time to share?
861 */
>>> CID 1537104: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
862 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
863 add_sec_label(&req.n, sec_label);
864
865 bool ok = sendrecv_xfrm_policy(&req.n, expect_kernel_policy, "delete",
866 (direction == DIRECTION_OUTBOUND ? "(out)" :
867 direction == DIRECTION_INBOUND ? "(in)" :
/programs/pluto/kernel_xfrm.c: 888 in kernel_xfrm_policy_del()
882 *
883 * XXX: It's also called when transport mode!
884 */
885 dbg("xfrm: %s() deleting policy forward (even when there may not be one)",
886 __func__);
887 id->dir = XFRM_POLICY_FWD;
>>> CID 1537104: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
888 ok &= sendrecv_xfrm_policy(&req.n, IGNORE_KERNEL_POLICY_MISSING,
889 "delete", "(fwd)", logger);
890 }
891 return ok;
892 }
893
/programs/pluto/kernel_xfrm.c: 865 in kernel_xfrm_policy_del()
859 *
860 * XXX: identical code in policy_add(), time to share?
861 */
862 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
863 add_sec_label(&req.n, sec_label);
864
>>> CID 1537104: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
865 bool ok = sendrecv_xfrm_policy(&req.n, expect_kernel_policy, "delete",
866 (direction == DIRECTION_OUTBOUND ? "(out)" :
867 direction == DIRECTION_INBOUND ? "(in)" :
868 NULL),
869 logger);
870
/programs/pluto/kernel_xfrm.c: 851 in kernel_xfrm_policy_del()
845 const int family = dst_child_afi->af;
846 dbg("%s() using family %s (%d)", __func__, dst_child_afi->ip_name, family);
847
848 req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
849 req.n.nlmsg_len = NLMSG_SPACE(sizeof(struct xfrm_userpolicy_id));
850 struct xfrm_userpolicy_id *id = NLMSG_DATA(&req.n);
>>> CID 1537104: (OVERRUN)
>>> Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer "id".
851 id->dir = xfrm_dir;
852 set_xfrm_selectors(&id->sel, src_child, dst_child);
853 id->index = policy_id;
854
855 /*
856 * Add mark policy extension if present.
/programs/pluto/kernel_xfrm.c: 863 in kernel_xfrm_policy_del()
857 *
858 * XXX: again, can't the caller decide this?
859 *
860 * XXX: identical code in policy_add(), time to share?
861 */
862 add_xfrmi_marks(&req.n, sa_marks, xfrmi, xfrm_dir, sizeof(req.data));
>>> CID 1537104: (OVERRUN)
>>> Overrunning struct type nlmsghdr of 16 bytes by passing it to a function which accesses it at byte offset 79 using argument "req.n.nlmsg_len" (which evaluates to 80).
863 add_sec_label(&req.n, sec_label);
864
865 bool ok = sendrecv_xfrm_policy(&req.n, expect_kernel_policy, "delete",
866 (direction == DIRECTION_OUTBOUND ? "(out)" :
867 direction == DIRECTION_INBOUND ? "(in)" :
868 NULL),
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq8aBKViEpsZ9KPFMeJd7kKMDjyzu82COVFw1h1aYx-2FtFrefiPxkohPqZgI7DsTRPR5L954NuJuE0J6c4ee-2B5kYL1A7_Cir5ZFqEb-2Fpy-2FZDdTxjwNXxDWd37ZfwlkdBT1REyQ38PRehiK-2Bp0hLyPgvotFakrqFw9Ipd6eAurWg-2FtqtVFJO-2Fe0-2BbkyzgzqAsnWekBfljlTFJRhYk-2FDsXKcPiCMarOXzHpboCx5GtdNFwfj0dlj51jX-2FXOhmXWq0zbZ9hev6mrnF1JxJOXgvAe3Qpd4PGVafRnHOuM04dZF-2Frnol4-2BIdgPoUG7hmKGYwRuGrTc0HE-3D